v3.10.7

@iarna iarna released this Aug 12, 2016 · 284 commits to latest since this release

v3.10.7 (2016-08-11)

Hi all, today's our first release coming out of the new monthly release cadence. See below for details. We're all recovered from conferences now and raring to go! We've got some pretty keen bug fixes and a bunch of documentation and dependency updates. It's hard to narrow it down to just a few, but of note are scoped packages in bundled dependencies, the preinstall lifecycle fix, the shrinkwrap and Git dependencies fix and the fix to a crasher involving cycles in development dependencies.

NEW RELEASE CADENCE

Releasing npm has been, for the most part, a very prominent part of our weekly process. As part of our efforts to find the most effective ways to allocate our team's resources, we decided last month that we would try and slow our releases down to a monthly cadence, and see if we found ourselves with as much extra time and attention as we expected to have. Process experiments are useful for finding more effective ways to do our work, and we're at least going to keep doing this for a whole quarter, and then measure how well it worked out. It's entirely likely that we'll switch back to a more frequent cadence, especially if we find that the value that weekly cadence was providing the community is not worth sacrificing for a bit of extra time. Does this affect you significantly? Let us know!

SCOPED PACKAGES IN BUNDLED DEPENDENCIES

Prior to this release and v2.15.10, npm had ignored scoped modules found in bundleDependencies.

preinstall LIFECYCLE IN CURRENT PROJECT

BETTER SHRINKWRAP WITH GIT DEPENDENCIES

  • 0f7e319 #12718 Update outdated git dependencies found in shrinkwraps. Previously, if the module version was the same then no update would be completed even if the committish had changed. (@kossnocorp)

CYCLES IN DEVELOPMENT DEPENDENCIES NO LONGER CRASH

  • 1691de6 #13327 Fix bug where cycles found in development dependencies could result in infinite recursion that resulted in crashes. (@iarna)

IMPROVE "NOT UPDATING LINKED MODULE" WARNINGS

  • 1619871 #12893 Only warn about symlink update if version number differs. The update-linked action outputs a warning that it needs to update the linked package, but can't. There is no need for the package to be updated if it is already at the correct version. This change does a check before logging the warning. (@DaveEmmerson)

MORE BUG FIXES

  • 8f8d1b3 #11398 Fix bug where package.json files that contained a type property could cause crashes. type is not a package.json property that npm makes use of and having it should be (and now is) harmless. (@zkat)
  • e7fa6c6 #13353 Add GIT_EXEC_PATH to Git environment whitelist. (@mhart)
  • c23af21 #13626 Use HTTPS issues URL in the error message for type validation errors. (@watilde)

INCLUDE npm login IN COMMAND SUMMARY

  • ab0c4b1 #13581 The login command has long been an alias for adduser. At the same time, there is an expectation not just of that particular word being something to look for, but of there being clear symmetry with logout. So it was a bit confusing when login didn't show up in npm help on a technicality. This seems like an acceptable exception to the rule that says "no aliases in npm help". (@zkat)

DOCUMENTATION

DEPENDENCIES

  • 124427e #8614 fstream-npm@1.1.1: Fixes bug with inclusion of scoped bundled dependencies. (@forivall)
  • 7e0cdff #13497 graceful-fs@4.1.5: graceful-fs had a bug fix which fixes a problem (nodejs/node#7846) exposed by recent changes to Node.js. (@thefourtheye)
  • 9b88cb8 #9984 request@2.74.0: Update request library to at least 2.73 to fix a bug where npm install would crash with Cannot read property 'emit' of null.
    Update request dependency tough-cookie to 2.3.0 to address https://nodesecurity.io/advisories/130. Versions 0.9.7 through 2.2.2 contain a vulnerable regular expression that, under certain conditions involving long strings of semicolons in the "Set-Cookie" header, causes the event loop to block for excessive amounts of time. (@zarenner) (@stash-sfdc)
  • bf78ce5 #13387 minimatch@3.0.3: Handle extremely long and terrible patterns more gracefully. There were some magic numbers that assumed that every extglob pattern starts and ends with a specific number of characters in the regular expression. Since !(||) patterns are a little bit more complicated, this led to creating an invalid regular expression and throwing. (@isaacs)
  • 803e538 isaacs/rimraf#111 rimraf@2.5.4: Clarify assertions: cb is required, options are not. (@isaacs)
  • a9f84ef lodash.without@4.2.0 (@jdalton)
  • f59ff1c lodash.uniq@4.4.0 (@jdalton)
  • 8cc027e lodash.union@4.5.0 (@jdalton)
  • 0a6c1e4 lodash.without@4.3.0 (@jdalton)
  • 4ab0181 lodash.clonedeep@4.4.1 (@jdalton)
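
The tough-cookie entry above gives an exact affected range (0.9.7 through 2.2.2), which can be checked against a project's own locked tree. The following is an added example, not part of the npm release notes or npm's code: it walks a parsed npm-shrinkwrap.json and lists every tough-cookie install in that range. The function names and the sample tree are constructed for illustration, and it assumes the nested `dependencies` layout with a `version` field per entry.

```javascript
// Affected tough-cookie range as stated in the release notes: 0.9.7 through 2.2.2.
const VULN_MIN = [0, 9, 7];
const VULN_MAX = [2, 2, 2];

// Parse "x.y.z" (any prerelease/build suffix is ignored) into [x, y, z]; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Compare two [x, y, z] triples: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function isVulnerableToughCookie(version) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, VULN_MIN) >= 0 && compareVersions(v, VULN_MAX) <= 0;
}

// Walk the nested "dependencies" maps of a parsed npm-shrinkwrap.json and
// return every tough-cookie install in the affected range, with its path.
function findVulnerableToughCookie(shrinkwrap) {
  const hits = [];
  (function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = path.concat(name);
      if (name === 'tough-cookie' && isVulnerableToughCookie(dep.version)) {
        hits.push({ path: here.join(' > '), version: dep.version });
      }
      walk(dep, here);
    }
  })(shrinkwrap, []);
  return hits;
}

// Constructed sample input (not from a real project); "legacy-client" is hypothetical.
const sample = {
  dependencies: {
    request: { version: '2.72.0', dependencies: { 'tough-cookie': { version: '2.2.2' } } },
    'tough-cookie': { version: '2.3.0' },
    'legacy-client': { version: '0.1.0', dependencies: { 'tough-cookie': { version: '0.9.6' } } },
  },
};

console.log(findVulnerableToughCookie(sample));
```

To run it against a real project, replace `sample` with the parsed contents of that project's npm-shrinkwrap.json.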
